DLL Injection

From enterprise
Revision as of 12:21, 11 July 2017 by Default (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
DLL Injection
Technique
ID T1055
Tactic Defense Evasion, Privilege Escalation
Platform Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
Permissions Required User, Administrator, SYSTEM
Effective Permissions User, Administrator, SYSTEM
Data Sources API monitoring, Windows Registry, File monitoring, Process monitoring
Defense Bypassed Process whitelisting, Anti-virus

DLL injection is used to run code in the context of another process by causing the other process to load and execute code. Running code in the context of another process provides adversaries many benefits, such as access to the process's memory and permissions. It also allows adversaries to mask their actions under a legitimate process. A more sophisticated kind of DLL injection, reflective DLL injection, loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Numerous methods of DLL injection exist on Windows, including modifying the Registry, creating remote threads, Windows hooking APIs, and DLL pre-loading.12

Examples

  • An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).3
  • Backdoor.Oldrea injects itself into explorer.exe.4
  • BlackEnergy injects its DLL component into svchost.exe.5
  • Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary.6
  • Derusbi injects itself into the secure shell (SSH) process.7
  • Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).8
  • Elise injects DLL files into iexplore.exe.9
  • Emissary injects its DLL file into a newly spawned Internet Explorer process.10
  • Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. Gazer performs a separate injection of its communication module into an Internet accessible process through which it performs C2.1112
  • HIDEDRV injects a DLL for Downdelph into the explorer.exe process.13
  • JHUHUGIT performs code injection injecting its own functions to browser processes.14
  • Matroyshka uses reflective DLL injection to inject the malicious library and execute the RAT.15
  • PoisonIvy can load DLLs.16
  • After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system.17
  • Remsec can perform DLL injection.18
  • Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.19
  • Taidoor can perform DLL loading.20
  • performs multiple process injections to hijack system processes and execute malicious code.21

Mitigation

Mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Identify or block potentially malicious software that may contain DLL injection functionality by using whitelisting22 tools, like AppLocker,2324 or Software Restriction Policies25 where appropriate.26

Detection

Monitoring API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as WriteProcessMemory, may be used for this technique.

Monitor processes and command-line arguments for actions that could be done before or after code injection has occurred and correlate the information with related event information. Code injection may also be performed using PowerShell with tools such as PowerSploit,27 so additional PowerShell monitoring may be required to cover known implementations of this behavior.

References

  1. ^  Kuster, R. (2003, August 20). Three Ways to Inject Your Code into Another Process. Retrieved November 12, 2014.
  2. ^  DLL injection. (n.d.). Retrieved November 12, 2014.
  3. ^  Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  4. ^  Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  5. ^  F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  6. ^  Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  7. ^  Perigaud, F. (2015, December 15). Newcomers in the Derusbi family. Retrieved December 20, 2017.
  8. ^  Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  9. ^  Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  10. ^  Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  11. ^  ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  12. ^  Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  13. ^  ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  14. ^  F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.

"Windows Server 2003" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows Server 2008" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows Server 2012" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows XP" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows 7" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows 8" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows Server 2003 R2" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows Server 2008 R2" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows Server 2012 R2" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows Vista" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows 8.1" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.
"Windows 10" is not in the list (Linux, Windows, macOS) of allowed values for the "Has platform" property.